Bitcoin Forum
November 10, 2024, 01:39:58 PM *
Topic: What of a 2FA (using the signing btc-address) for the forum!  (Read 314 times)
Danydee (OP)
December 07, 2019, 11:20:23 PM
Last edit: December 08, 2019, 01:07:40 PM by Danydee
 #1

I think that it would be very great, the smartest two-factor authenticator ever made!
Just need to sign an auto-generated message, enter the signature, and it's done!!

It would be a very efficient way of securing Bitcointalk accounts. After enabling it, verification could be asked just for email / password changes, just for the major operations!

khaled0111
December 07, 2019, 11:49:48 PM
Merited by LoyceV (2), Danydee (1)
 #2

theymos once said that a similar feature would be implemented in the new forum software (that was 5 years ago) :D
> Fancy Authentication
> In addition to normal password authentication, the forum should support various kinds of alternative authentication. At least password auth, email verification, secret questions, OpenID, PGP, OpenVPN (automatic creation of subnets + IP source verification), and Bitcoin address signing should be supported, with multiple allowable credentials for each auth type.

However, if it becomes mandatory to sign a message whenever a member logs in, it would be a real pain for those who browse the forum using their smartphones.
If implemented, it should be up to the user to decide whether he wants to activate this feature or not.

Danydee (OP)
December 08, 2019, 12:40:49 AM
 #3

Not to authenticate every login. The forum may really need it now to prevent account hacking/hijacking, asking for authentication just when needing to change email or password. Bitcoin address signing could be the easiest way; a number of the other methods can be subject to loss and may necessitate additional tools. Bitcoin address signing is just like PGP, but faster and lighter!

JohnBitCo
December 08, 2019, 09:48:47 AM
 #4

> I think that it would be very great, the smartest two-factor authenticator ever made!
> Just need to sign an auto-generated message, enter the signature, and it's done!!
>
> It would be a very efficient way of securing Bitcointalk accounts. After enabling it, verification could be asked just for email / password changes, just for the major operations!

There are mixed feelings on the topic of whether 2FA should be implemented in the forum or not. Stake your Bitcoin address here is already a good option to get back your account if ever hacked. Also, a hacked account is always tagged on request of the original owner, and it becomes of no use for the hacker to use in bounties or for whatever purpose.

SFR10
December 08, 2019, 11:40:01 AM
 #5

> However, if it becomes mandatory to sign a message whenever a member logs in, it would be a real pain for those who browse the forum using their smartphones.
AFAIK, most smartphone users remain logged in, so that shouldn't really be a big deal for them.
- I think only 2FA [with an authenticator app] will be added for entering the forum.

> asking for authentication just when needing to change email or password.
Since 2FA is already part of "Planned Features [most likely for login purposes]", I think it'll be fairly easy to implement it for email/password changes.

> Planned Features
>   • 2-Factor Authentication

Danydee (OP)
December 08, 2019, 01:03:37 PM
 #6

>> I think that it would be very great, the smartest two-factor authenticator ever made!
>> Just need to sign an auto-generated message, enter the signature, and it's done!!
>>
>> It would be a very efficient way of securing Bitcointalk accounts. After enabling it, verification could be asked just for email / password changes, just for the major operations!
>
> There are mixed feelings on the topic of whether 2FA should be implemented in the forum or not. Stake your Bitcoin address here is already a good option to get back your account if ever hacked. Also, a hacked account is always tagged on request of the original owner, and it becomes of no use for the hacker to use in bounties or for whatever purpose.
Recovering hacked accounts can sometimes take very much time.
And imagine your account gets hacked in a period when you are away from the forum... Here is the purpose: limiting account hacks!

taufik123
December 08, 2019, 01:52:35 PM
 #7

> Recovering hacked accounts can sometimes take very much time.
> And imagine your account gets hacked in a period when you are away from the forum... Here is the purpose: limiting account hacks!
There must be free time to take care of accounts that were hacked. If it is needed, at least you take care of it. Include a Bitcoin email and signed message to prove that it's your account.
I have also experienced the same thing. The account recovery team is very responsive and immediately resolves your complaints against the hacked account, if you provide all the proofs.

> Recovering hacked/lost accounts
> If your account was hacked
>
> Email recoveries...@bitcointalk.org, ideally from the account's email address.
> Include your username and a brief description of the details of how/when the account was hacked. A signature will likely be required.
>
> If you forgot the password or similar
>
> Try using the email password reset. Check that the email isn't ending up in your spam folder. If that doesn't work, email recoveries...@bitcointalk.org, ideally from the account's email address. Include your username. A signature will likely be required.

 
FIFA worldcup
December 08, 2019, 02:17:04 PM
 #8

>>> I think that it would be very great, the smartest two-factor authenticator ever made!
>>> Just need to sign an auto-generated message, enter the signature, and it's done!!
>>>
>>> It would be a very efficient way of securing Bitcointalk accounts. After enabling it, verification could be asked just for email / password changes, just for the major operations!
>>
>> There are mixed feelings on the topic of whether 2FA should be implemented in the forum or not. Stake your Bitcoin address here is already a good option to get back your account if ever hacked. Also, a hacked account is always tagged on request of the original owner, and it becomes of no use for the hacker to use in bounties or for whatever purpose.
> Recovering hacked accounts can sometimes take very much time.
> And imagine your account gets hacked in a period when you are away from the forum... Here is the purpose: limiting account hacks!

Why would you let the account get hacked in the first place? Almost everywhere where the information and data is important we see 2FA implemented. Bitcoin accounts are precious and therefore we should have an option to secure the account with 2FA. If some people don't like 2FA, they can ignore it if this feature is implemented as optional and not mandatory.

Danydee (OP)
December 08, 2019, 07:48:59 PM
 #9

@FIFA worldcup,  Exactly !

o_e_l_e_o
December 08, 2019, 08:57:54 PM
 #10

I would love to have 2FA for the forum. Ideally hardware keys, but even just standard authenticator apps would be a big step forward. However, I accept that it is never going to happen on the SMF software, so the best we can hope for is for it to be implemented in Epochtalk.

In the meantime, there are plenty of other things you can do to help secure your account. Use a password manager if you aren't already, and get it to generate a long and random password for your account. Do not reuse this password anywhere else. Go into your profile settings and hide your email address. Consider even changing your email address to a new hidden one if yours is widely known. Make sure your email account also has a (different) long and random password on it. Don't log in to the forum using any device which you don't own, and ideally don't log in via any public internet network. If you must use a public connection, use a VPN to protect yourself. Stake an address in the thread linked above. Make sure no one knows your captcha bypass code, and reset it if you think they might (https://bitcointalk.org/captcha_code.php).

alani123
December 08, 2019, 09:06:43 PM
 #11

2FA is a feature that has been requested already and I would personally love to see it. But I don't think that it's worth trying the BTC authorization in this forum. Maybe something as experimental would have been better for smaller communities.

Also, provided that Epochtalk is being developed, I wonder how much point there is in adding so many new features to the current forum.

lulucrypto
December 08, 2019, 11:03:13 PM
 #12

The idea of integrating this kind of two-factor check for the email / password change is excellent!

To be honest, I would like to develop a plugin for SMF in order to add certain functions to the forum, but I do not know if theymos would accept to install it on the forum (in an open-source version).

This idea could be included in this plugin.

LTU_btc
December 08, 2019, 11:44:17 PM
 #13

2FA on Bitcointalk was discussed so many times already, but this is something different. 2FA with a signed message from a Bitcoin address would be a very interesting addition.
But probably it would be less convenient than standard 2FA apps. Especially if you're not using the option "always stay logged in" and are logging in every time you visit the forum. Let's say that I use a hardware or desktop wallet and I want to log in to the forum on mobile while being away from home. It would be impossible for me to do it. I understand that it would be an optional thing, but it would be good to have more standard 2FA as an alternative.
And yeah, we are on a crypto forum, so it would be nice to use more of the opportunities given to us by Bitcoin.

eddie13
December 09, 2019, 12:35:21 AM
 #14

I think that it would be best to completely do away with usernames, emails, and passwords, and just register a BTC public address to make an account..

To log in, enter your BTC public address, click login and it gives you a timestamp hashed against your public key that you must sign within 1-3 minutes, enter the BTC signed message of the timestamp hash like a password, BTCT verifies your signature, you are logged in..

Simple..

Let an unlimited amount of "Anonymous" usernames exist and make usernames optional, like 4chan but you could only ever choose one username..
Make emails optional..
No passwords..

No captcha for login, just reduce it to 10 tries an hour..
You can't bruteforce a BTC signed message signature.. No hacked password hashes problems ever again..

It would give everyone excellent practice on handling their keys...
Lose your keys = lose your account, no recourse you LOSE..


I may be missing a lot here because I'm pretty code stupid, but I think that setup would be epic..

masulum
December 09, 2019, 10:07:56 AM
 #15

> I think that it would be best to completely do away with usernames, emails, and passwords, and just register a BTC public address to make an account..
>
> To log in, enter your BTC public address, click login and it gives you a timestamp hashed against your public key that you must sign within 1-3 minutes, enter the BTC signed message of the timestamp hash like a password, BTCT verifies your signature, you are logged in..
>
> Simple..
> <snip>

If my imagination is right, the login page should look like this one

https://i.ibb.co/rGtp5Rh/image.png

or will it be different? If I'm right, login with this method will be good, but it will be hard to remember the signed message. Of course, we can make a backup, but we must save the signed message to all of our devices, in case we want to log in on mobile.
o_e_l_e_o
December 09, 2019, 10:39:24 AM
 #16

> If I'm right, login with this method will be good, but it will be hard to remember the signed message. Of course, we can make a backup, but we must save the signed message to all of our devices, in case we want to log in on mobile.
You are misunderstanding.

If you just log in with the same signed message every time, then it is no better than a password (albeit a long and random, therefore strong, password). If some malware, phishing, MITM, etc., steals your signed message, then they have access to your account.

In eddie13's suggestion, the forum will provide you with a different unique message which you will have to sign every time you wish to log in. This system should also probably do away with the "always stay logged in" option, so someone intercepting a message once can't have access to your account forever.
khaled0111
December 09, 2019, 12:10:46 PM
 #17

> If my imagination is right, the login page should look like this one
> https://i.ibb.co/rGtp5Rh/image.png
> or will it be different? If I'm right, login with this method will be good,
No, absolutely not! How can that be a good idea!
It will be easy to hack all accounts that staked their addresses here or anywhere else. Just copy the message and the signed message from there, fill the login form et voilà ::)
As o_e_l_e_o explained, you have to sign a different message generated by the forum server each time.
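
The point made in the last two replies (a server-generated message that differs on every login, versus a static signed message that anyone can copy from a public thread), shown as an added example that is not part of the thread or of any forum software. Signature checking is replaced by an HMAC stand-in (`demo_sign`/`demo_verify`), and the address, key, message format and `ChallengeStore` class are constructed for illustration.

```python
import hashlib, hmac, secrets, time

CHALLENGE_TTL = 180  # seconds; the thread suggests a 1-3 minute signing window
DEMO_KEYS = {"1ConstructedDemoAddress": b"demo-key"}  # constructed sample data
# Stand-in signer/verifier (assumption): HMAC under a per-address demo key.
# A real forum would verify a Bitcoin signed message against the address here.
def demo_sign(address, message):
    return hmac.new(DEMO_KEYS[address], message.encode(), hashlib.sha256).hexdigest()

def demo_verify(address, message, signature):
    return address in DEMO_KEYS and hmac.compare_digest(demo_sign(address, message), signature)

class ChallengeStore:
    def __init__(self, verify_sig, now=time.time):
        self.verify_sig, self.now = verify_sig, now
        self.pending = {}  # challenge message -> (address, expiry time)

    def issue(self, address):
        # Random nonce + address + timestamp: the same message is never issued twice.
        issued = int(self.now())
        msg = f"forum-login|{address}|{issued}|{secrets.token_hex(16)}"
        self.pending[msg] = (address, issued + CHALLENGE_TTL)
        return msg

    def redeem(self, address, message, signature):
        # pop() makes every challenge single-use, whether or not the attempt succeeds.
        owner, expiry = self.pending.pop(message, (None, 0))
        if owner is None:
            return "unknown-or-used-challenge"
        if owner != address:
            return "wrong-address"
        if self.now() > expiry:
            return "expired"
        return "ok" if self.verify_sig(address, message, signature) else "bad-signature"

def demo():
    clock = [1_000_000.0]  # fake clock so expiry can be shown without sleeping
    store, addr = ChallengeStore(demo_verify, now=lambda: clock[0]), "1ConstructedDemoAddress"
    out = {}
    staked = "constructed message staked in a public thread"
    out["staked_replay"] = store.redeem(addr, staked, demo_sign(addr, staked))
    msg = store.issue(addr)
    sig = demo_sign(addr, msg)
    out["fresh"] = store.redeem(addr, msg, sig)
    out["captured_replay"] = store.redeem(addr, msg, sig)  # same pair sent again
    late = store.issue(addr)
    clock[0] += CHALLENGE_TTL + 1
    out["late"] = store.redeem(addr, late, demo_sign(addr, late))
    return out
```

`demo()` returns one outcome per scenario: a validly signed but publicly staked message is rejected because the server never issued it, and a captured login response is rejected on its second use.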
